use Docker GitHub Builder to build and sign binaries and bin image #13568
Conversation
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
force-pushed the branch from 45cd7e3 to 3ce6653
| bin-image-test: | ||
| if: github.event_name == 'pull_request' | ||
| uses: docker/github-builder/.github/workflows/bake.yml@v1 | ||
| with: | ||
| runner: amd64 | ||
| target: image-cross | ||
| cache: true | ||
| cache-scope: bin-image-test | ||
| output: image | ||
| push: false | ||
| sbom: true | ||
| set-meta-labels: true | ||
| meta-images: | | ||
| compose-bin | ||
| meta-tags: | | ||
| type=ref,event=pr | ||
| meta-bake-target: meta-helper |
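Review bot: `uses: docker/github-builder/.github/workflows/bake.yml@v1` pins the reusable workflow to a moving tag; since the same reusable workflow is the one that later signs artifacts with the OIDC token, pin it to a full commit SHA (keeping the tag in a trailing comment) or record in the file why a floating `v1` is acceptable. Also, because this job hard-codes `meta-images: compose-bin` and `push: false`, add a comment in the workflow itself saying it exists only to exercise the bin-image path on `pull_request` events; without that it reads like a leftover test fixture.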
This job is just for testing that the bin-image job works properly on the pull request event, as the merge workflow doesn't have any pull request trigger atm.
| bin-image: | ||
| uses: docker/github-builder/.github/workflows/bake.yml@v1 | ||
| permissions: | ||
| contents: read # same as global permission | ||
| id-token: write # for signing attestation(s) with GitHub OIDC Token | ||
| with: | ||
| runner: amd64 | ||
| target: image-cross | ||
| cache: true | ||
| cache-scope: bin-image | ||
| output: image | ||
| push: ${{ github.event_name != 'pull_request' }} | ||
| sbom: true | ||
| set-meta-labels: true | ||
| meta-images: | | ||
| ${{ needs.bin-image-prepare.outputs.repo-slug }} | ||
| meta-tags: | | ||
| type=ref,event=tag | ||
| type=edge | ||
| meta-bake-target: meta-helper |
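Review bot: `id-token: write` is granted to this job unconditionally while only `push` is gated by `${{ github.event_name != 'pull_request' }}`; if a `pull_request` trigger is ever added to this workflow, the signing-capable token is minted for PR runs as well, so consider gating the whole job with `if: github.event_name != 'pull_request'` rather than just the push flag. The `${{ needs.bin-image-prepare.outputs.repo-slug }}` reference also depends on a `needs:` entry for `bin-image-prepare` that is outside the shown lines; if it is missing, the expression evaluates to empty and `meta-images` carries no image name. The `@v1` pinning point raised on the test job applies to this `uses:` line too.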
Codecov Report: All modified and coverable lines are covered by tests.
| target: release | ||
| output: local | ||
| sbom: true | ||
| sign: ${{ github.event_name != 'pull_request' }} |
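Review bot: `sign: ${{ github.event_name != 'pull_request' }}` turns on signing, but unlike the `bin-image` job no `permissions: id-token: write` is visible in these lines; confirm it is set at the job or workflow level, otherwise the OIDC-based signing step has no token to exchange with Fulcio. Since the resulting bundle is shipped as a release asset, document the verification command next to it, including the expected certificate identity and `--certificate-oidc-issuer https://token.actions.githubusercontent.com`, so consumers do not run `cosign verify-blob` without identity pinning.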
nice! I was looking for a way to get this into docker/compose and eventually kill compose-private; seems we are getting closer
Yes, for now we should keep compose-private for notarizing darwin and windows binaries.
ndeloof
left a comment
🪄
What I did
Similar to what we did in the Buildx repo:
Switch to our Docker GitHub Builder to build and sign binaries and the bin image.
For binaries, the sigstore bundle will be uploaded as an asset to the GitHub Release. For the bin image, the signature is an OCI artifact.
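A consumer-side companion to the release layout described above, added here as an example; it is not code from docker/compose or docker/github-builder. It assumes the bundle next to each binary uses the Sigstore protobuf-JSON bundle layout that `cosign sign-blob --bundle` writes, where `messageSignature.messageDigest` holds the base64-encoded hash of the signed blob. Before handing the pair to cosign it checks that the bundle actually covers the downloaded file (a mismatched bundle and binary is the most common reason for a confusing verification failure), and it builds a `cosign verify-blob` invocation that pins both the certificate identity and the OIDC issuer. The asset names, the identity regexp and the constructed sample bundle are assumptions, not values from the page.

```python
"""Pre-flight check for a sigstore bundle published as a GitHub Release asset.

Added example for this PR page; not code from docker/compose or
docker/github-builder. Assumes the bundle uses the Sigstore protobuf-JSON
bundle layout written by `cosign sign-blob --bundle`, where
messageSignature.messageDigest carries the base64-encoded hash of the signed
blob. Asset names and the identity regexp below are assumptions.
"""
import base64
import hashlib
import hmac
import json
import shutil
import subprocess

# OIDC issuer that Fulcio records for GitHub Actions workflow identities.
GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"

# Hash algorithm names as they appear in the bundle's messageDigest.
_ALGOS = {"SHA2_256": hashlib.sha256, "SHA2_384": hashlib.sha384, "SHA2_512": hashlib.sha512}


def bundle_digest(bundle_json: str) -> tuple[str, bytes]:
    """Return (algorithm, raw digest) that the bundle claims to sign over.

    Raises ValueError for bundles without a messageSignature (for example a
    DSSE/attestation bundle) or with an unknown algorithm, so a caller can
    never silently skip the comparison.
    """
    bundle = json.loads(bundle_json)
    md = (bundle.get("messageSignature") or {}).get("messageDigest")
    if not md:
        raise ValueError("no messageSignature.messageDigest: not a blob-signature bundle")
    algo = md.get("algorithm", "")
    if algo not in _ALGOS:
        raise ValueError(f"unsupported digest algorithm in bundle: {algo!r}")
    return algo, base64.b64decode(md["digest"])


def bundle_matches_blob(bundle_json: str, blob: bytes) -> bool:
    """True iff the digest embedded in the bundle equals the hash of blob.

    This only detects a bundle/asset mix-up (wrong file downloaded, wrong
    bundle attached); it does not verify the signature. cosign does that.
    """
    algo, claimed = bundle_digest(bundle_json)
    actual = _ALGOS[algo](blob).digest()
    return hmac.compare_digest(claimed, actual)


def cosign_verify_cmd(blob_path: str, bundle_path: str, identity_regexp: str,
                      issuer: str = GITHUB_OIDC_ISSUER) -> list[str]:
    """Build the cosign invocation that pins both signer identity and issuer.

    Leaving out --certificate-identity(-regexp) or --certificate-oidc-issuer
    is a common mistake: cosign then accepts any Fulcio-issued certificate.
    """
    return [
        "cosign", "verify-blob",
        "--bundle", bundle_path,
        "--certificate-identity-regexp", identity_regexp,
        "--certificate-oidc-issuer", issuer,
        blob_path,
    ]


def verify_release_asset(blob_path: str, bundle_path: str, identity_regexp: str) -> str:
    """Digest pre-check, then cosign if it is installed.

    Returns "mismatch", "cosign-missing", "verified" or "rejected".
    """
    with open(blob_path, "rb") as f:
        blob = f.read()
    with open(bundle_path, "r", encoding="utf-8") as f:
        bundle_json = f.read()
    if not bundle_matches_blob(bundle_json, blob):
        return "mismatch"
    if shutil.which("cosign") is None:
        return "cosign-missing"
    rc = subprocess.run(cosign_verify_cmd(blob_path, bundle_path, identity_regexp)).returncode
    return "verified" if rc == 0 else "rejected"


# ---- constructed sample data (no real certificate or signature) ----
SAMPLE_BLOB = b"constructed stand-in for a release binary\n"


def sample_bundle(blob: bytes) -> str:
    """Constructed bundle covering blob; certificate and signature are dummies."""
    return json.dumps({
        "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
        "verificationMaterial": {
            "certificate": {"rawBytes": "<not a real certificate>"},
            "tlogEntries": [],
        },
        "messageSignature": {
            "messageDigest": {
                "algorithm": "SHA2_256",
                "digest": base64.b64encode(hashlib.sha256(blob).digest()).decode(),
            },
            "signature": "<not a real signature>",
        },
    })


if __name__ == "__main__":
    print("sample bundle matches sample blob:",
          bundle_matches_blob(sample_bundle(SAMPLE_BLOB), SAMPLE_BLOB))
    # Assumed asset names and identity pattern; adjust to the real release.
    print(" ".join(cosign_verify_cmd(
        "docker-compose-linux-x86_64",
        "docker-compose-linux-x86_64.sigstore.json",
        r"^https://github\.com/docker/.+/\.github/workflows/.+@refs/tags/v.+$")))
```

The identity regexp is the part to get right before publishing a verification one-liner: the certificate's subject for a GitHub Actions signer is a workflow reference, and when signing runs inside a reusable workflow it should be checked against a real bundle whether that reference names the calling workflow in docker/compose or the reusable `bake.yml` in docker/github-builder, since the two yield different patterns. The digest pre-check deliberately refuses bundles that carry no `messageSignature` instead of returning False, so a DSSE attestation bundle accidentally attached in place of a blob signature fails loudly rather than looking like a simple mismatch.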